Last week, on Thursday morning, I started to see what I call the first real shots being fired in the Cyber War of 2019 with Iran. I thought I would write down a few thoughts I have regarding the situation in general.
For the past 18 months we at Milton Security have been tracking, across our customers, certain types of activity that we knew for certain or believed to be from Iran. The types of activity ranged from simple to elaborate phishing attempts and password spray attempts (with successes in the cases of a few firms we know of, including Citrix, which was made public). We also know of and tracked some counter developments.
In addition, there is a possible double agent within Iran who is dissatisfied with what was occurring and has a grudge against the Iranian government. This individual has been releasing information, including doxing individuals in the Iranian government and its defense contractors. They have listed out targets, tools and techniques used by the Iranian cyber teams on Telegram.
When the drone was shot down by the Iranians, we knew this was going to escalate cyber activity against US targets. I am still trying to make sense of all the information around the downing of the drone. A few possibilities I have seen over the past 48 hours:
- Our drone was in international waters and Iran struck it down
- Our drone was in Iranian waters and Iran struck it down
- Our drone was in international waters, Iran jammed the GPS on the drone which made the drone go off course into Iranian territory
- Our drone was in international waters and a third party jammed the GPS on the drone, which made the drone go off course into Iranian territory
Iran also stated that it had our Navy P-8 plane, which was monitoring the drone, in its sights and decided not to fire at it, since it had US Navy personnel onboard.
Now, I am not an expert in strategy or military operations, but knowing a little bit about how the US Navy and the US Coast Guard conduct operations, I do see the US Navy flying right along the demarcation line, much like we send US Navy and US Coast Guard vessels along the same line, to show there is an international presence and to do what’s called Freedom of Navigation. This ensures that commerce can go unimpeded. It is also done frequently in the contested areas of the South China Sea.
This is also how the US Navy riverine boats were captured by the Iranians in 2016: they were running along the boundary when one of the vessels became dead in the water. Was this also a case of GPS issues?
When President Trump decided at the last moment not to retaliate with weapons, this confused the Iranian side and it confused the American press. It gave the Iranians time to regroup and re-assess their defense against possible missile strikes. Whether this was a true case of second thoughts about potentially killing 150 Iranian military and civilian personnel, or part of the plan, I guess depends on how you view this administration.
After the drone was struck down, the US was able to accomplish retaliatory cyber strikes against Iranian computer systems that control their missiles and radar sites.
Since Thursday, our team has seen the intensity of attempts from potential Iranian-backed actors increasing. And this is not the end, just the beginning, of the Cyber War with Iran. The White House is looking to expand its cyber toolset, with greater flexibility in using cyber attacks.
This week is lining up to be very interesting. President Trump said he will apply new sanctions against Iran tomorrow, and Iran has stated it will bypass the nuclear 300-kilogram limit within 4 days.